[strongSwan] NAT-T, SNAT/DNAT and TCP checksum incorrect on peer VPN gateway (site-to-site)
Narendra Joshi
narendraj9 at gmail.com
Tue Apr 21 22:39:31 CEST 2020
Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting>
writes:
> Hi,
>
> Those are likely all false leads. It's likely to be an MTU/MSS
> problem, which is described on the wiki[1].
Thank you very much for the quick response. I will follow the
instructions provided in the wiki.
Is there a tool that I can use to verify that it is the MTU that causes
the failure to connect? I noticed incorrect values
for the TCP checksum on the host in the peer's subnet using
`tcpdump`. Moreover, ICMP seems to be working without any packet
loss at all. I can imagine that ICMP packets won't be large enough
to reach the MTU value (probably). Can MTU cause TCP checksum
failures? My networking knowledge is definitely limited here.
> Kind regards
>
> Noel
>
> [1]
> https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#MTUMSS-issues
>
> Am 21.04.20 um 20:38 schrieb Narendra Joshi:
>> Hi, I have setup an IPSec gateway on a virtual instance in a
>> VPC using a cloud provider. The cloud provider has Elastic IPs
>> that aren't attached to any network interface on the virtual
>> instance so strongSwan uses NAT-T. Also I need to do SNAT/DNAT
>> for mapping my side of the subnet that is advertised to my VPN
>> peer. I have found that this setup causes very frequent TCP
>> checksum failures. They are so frequent that an HTTP request
>> fails ~50% of the time because TCP connect times out. It would
>> be great if anyone who has faced something similar before can
>> help me understand what is happening and how it can be avoided.
>> Here is an image of the setup I have:
>>
>> Best regards,
>
--
Narendra Joshi
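The question above asks how to confirm an MTU problem and what to clamp the MSS to. Below is an added example (not part of this thread, not strongSwan project code) with three helpers a gateway operator can use for the wiki's MTU/MSS procedure: a DF-bit path-MTU search whose probe is injectable (the real probe shells out to `ping -M do`; the simulated probe lets it run offline), an MSS calculation from the ESP/NAT-T overhead of a few common strongSwan cipher proposals, and the resulting iptables TCPMSS rule. The cipher table, the interface name and the `-m policy` match are assumptions for the example, not values taken from the thread.

```python
"""Added example: path-MTU probing and MSS clamping for an IPsec gateway.

Not code from the strongSwan thread or project. The cipher overhead table
below is an assumption based on RFC 4303/4106 field sizes; check it against
the proposal actually negotiated (`swanctl --list-sas` or `ipsec statusall`).
"""
import subprocess
from typing import Callable

IPV4_HDR = 20   # outer/inner IPv4 header, no options
ICMP_HDR = 8    # echo request header, so `ping -s N` sends N + 28 bytes on the wire
TCP_HDR = 20    # TCP header, no options (MSS is payload after this)
ESP_HDR = 8     # SPI + sequence number
NATT_UDP = 8    # UDP/4500 header added when NAT-T is in use

# name -> (IV bytes, ICV bytes, padding alignment) -- assumption for the example
CIPHERS = {
    "aes128gcm16": (8, 16, 4),
    "aes256gcm16": (8, 16, 4),
    "aes128-sha256": (16, 16, 16),
    "aes256-sha256": (16, 16, 16),
}


def ping_df_probe(host: str) -> Callable[[int], bool]:
    """Real probe: one ICMP echo with DF set and `payload` data bytes.

    Returns True when the echo reply came back, False on 'message too long'
    or timeout. Needs a reachable host and a system `ping` (Linux iputils).
    """
    def probe(payload: int) -> bool:
        cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host]
        return subprocess.run(cmd, capture_output=True).returncode == 0
    return probe


def simulated_path_probe(path_mtu: int) -> Callable[[int], bool]:
    """Offline stand-in for ping_df_probe: passes iff the packet fits path_mtu."""
    return lambda payload: payload + IPV4_HDR + ICMP_HDR <= path_mtu


def pmtu_probe(probe: Callable[[int], bool], lo: int = 64, hi: int = 1472) -> int:
    """Binary-search the largest DF payload that gets through, return the path MTU.

    Assumes the probe is monotonic (if size N fails, N+1 fails) and that `lo`
    passes; `hi` defaults to the largest payload of a 1500-byte link.
    """
    if probe(hi):
        return hi + IPV4_HDR + ICMP_HDR
    if not probe(lo):
        raise RuntimeError("even a %d-byte probe fails; look beyond MTU" % lo)
    while hi - lo > 1:  # invariant: probe(lo) passes, probe(hi) fails
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo + IPV4_HDR + ICMP_HDR


def clamp_mss(outer_mtu: int, cipher: str, nat_t: bool) -> int:
    """Largest TCP MSS whose encapsulated segment still fits in outer_mtu.

    Layout: outer IP | [UDP 4500] | ESP hdr | IV | inner IP+TCP+data+pad+2 | ICV.
    The plaintext (inner packet + pad + pad-length + next-header) is rounded
    down to the cipher's alignment, and the 2 trailer bytes come out of it.
    """
    iv, icv, align = CIPHERS[cipher]
    room = outer_mtu - IPV4_HDR - (NATT_UDP if nat_t else 0) - ESP_HDR - iv - icv
    plaintext = room - (room % align)
    inner_pkt = plaintext - 2
    return inner_pkt - IPV4_HDR - TCP_HDR


def mss_clamp_rule(mss: int, iface: str = "eth0") -> str:
    """iptables rule clamping MSS on SYNs leaving via the IPsec policy on iface."""
    return ("iptables -t mangle -A FORWARD -o %s -p tcp --tcp-flags SYN,RST SYN "
            "-m policy --pol ipsec --dir out -j TCPMSS --set-mss %d" % (iface, mss))


if __name__ == "__main__":
    # Constructed scenario: a 1400-byte path, NAT-T with aes128gcm16.
    mtu = pmtu_probe(simulated_path_probe(1400))
    mss = clamp_mss(mtu, "aes128gcm16", nat_t=True)
    print("path MTU %d -> clamp MSS to %d" % (mtu, mss))
    print(mss_clamp_rule(mss))
```

Run it against a real peer by swapping `simulated_path_probe(1400)` for `ping_df_probe("<peer subnet host>")`; `--clamp-mss-to-pmtu` instead of `--set-mss` is the hands-off alternative if the kernel already knows the path MTU. One caveat on reading `tcpdump`: `cksum incorrect` on segments captured on the host that sends them is usually TX checksum offloading (the NIC fills the checksum in after the capture point), not corruption; disable it with `ethtool -K <iface> tx off` or capture on the receiving side before treating those lines as evidence.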